Re: ISSalert: ISS Security Update

From: topher (thughesat_private)
Date: Tue Nov 17 1998 - 08:12:17 PST


    > Hidden community string in SNMP implementation
    >
    > Synopsis:
    >
    > Internet Security System (ISS) X-Force has discovered a serious
    > vulnerability in Sun Microsystems(r) Solstice(tm) Enterprise Agent(tm)
    > and the Solaris operating system.  This SNMP hidden community string is
    > hard coded into the binary and can not be configured nor is it in the
    > configuration files.  The hidden Sun SNMP community word is not the same
    > as the hidden HP SNMP community string.  This vulnerability allows
    > attackers to execute arbitrary commands with root privileges, manipulate
    > system parameters, and kill processes.
    
    We're having some interesting results with this. In version 1.0.3 of the
    SEA SDK (as opposed to just the runtime stuff), the strings 'all public'
    and 'all private' are present in the mibiisa binary. It is possible to
    read the entire mib using the 'all private' COI, however, we are having
    difficulty using either 'private' or 'all private' to write values. This
    includes when we have actually configured the SNMP daemon to use
    private. =-)
    
    On a system using 1.0.1 it is possible to use the 'all private' to kill
    processes, kill connections, etc. Interestingly, it is also possible
    to use 'private' to change the system information. Again, as far as we
    can tell, we are _not_ using private as a COI when we can change these
    values.
    
    We did not attempt any spoofing.
    
    
                                                    --topher
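
A detection-side view of the strings named in the message above, as an added example that is not part of the original post or of any ISS or Sun code: it parses the BER header of an SNMP datagram and flags the two community strings the post reports finding in the mibiisa binary. The function names and the sample datagrams are constructed for illustration.

```python
# Added example. HIDDEN holds only the two strings named in the post.
HIDDEN = {b"all private", b"all public"}
# SNMPv1 PDU tags; other tags are reported as "unknown".
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest",
             0xA2: "GetResponse", 0xA3: "SetRequest", 0xA4: "Trap"}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the BER TLV at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long-form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of datagram")
    return tag, pos, pos + length

def inspect(datagram):
    """Return (community, pdu_name, flagged), or None if not SNMPv1/v2c."""
    try:
        tag, start, end = read_tlv(datagram, 0)
        if tag != 0x30:                   # outer SEQUENCE
            return None
        tag, vs, ve = read_tlv(datagram, start)
        if tag != 0x02 or int.from_bytes(datagram[vs:ve], "big") not in (0, 1):
            return None                   # version 0 = v1, 1 = v2c
        tag, cs, ce = read_tlv(datagram, ve)
        if tag != 0x04:                   # community is an OCTET STRING
            return None
    except ValueError:
        return None
    community = datagram[cs:ce]
    pdu_tag = datagram[ce] if ce < end else None
    return community, PDU_NAMES.get(pdu_tag, "unknown"), community in HIDDEN

def sample(community, pdu_tag):
    """Constructed SNMPv1 datagram with an empty PDU body (header only)."""
    body = (b"\x02\x01\x00" + bytes([0x04, len(community)]) + community
            + bytes([pdu_tag, 0x00]))
    return bytes([0x30, len(body)]) + body
```

Feeding `inspect` the UDP payloads seen on port 161 gives a per-datagram record that can be alerted on when the flag is set, with SetRequest hits being the ones to look at first.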
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:23:41 PDT